Uber’s Intranet Compromised Via Social Engineering

Summary

CloudSEK DRP discovered a threat actor claiming to have compromised Uber, the American mobility service provider. To demonstrate the legitimacy of the claims, the actor has posted unauthorized messages on the HackerOne page of the company.
 
Category: Adversary Intelligence
Industry: Business Services
Region: Global
Source*: C2

Executive Summary

THREAT IMPACT
  • Uber’s Amazon Web Services, Duo, GSuite, and other platforms compromised.
  • Access to the internal network (intranet), *.uberinternal, leaked.
  • Social engineering employed as the initial attack vector.
  • Obfuscation of the application code.
  • Leak of sensitive and critical information.
  • Multiple account takeovers.
  • Details that would equip malicious actors to launch sophisticated ransomware attacks, exfiltrate data, and maintain persistence.

Analysis and Attribution

Information from Open Source

  • On 16 September 2022, CloudSEK’s contextual AI digital risk platform XVigil discovered a threat actor claiming to have compromised Uber, the American mobility service provider.
  • Uber has confirmed the above claims and responded to the incident by stating that it is in contact with law enforcement agencies.
  • The threat actor was able to compromise an employee's HackerOne account to access vulnerability reports associated with Uber.
  • To demonstrate the legitimacy of the claims, the actor has posted unauthorized messages on the HackerOne page of the company.
  • Moreover, the attacker has also shared several screenshots of Uber's internal environment including their GDrive, VCenter, sales metrics, Slack, and the EDR portal.
Official Tweet by the Uber Communication
 

Information from the Samples

CloudSEK’s Research team analyzed the sample snapshots shared by the threat actor, which implied access to the following assets:
  • Domain admin
  • Intranet network
  • Amazon Web Service console
  • Google Cloud Platform console
  • VMware vSphere admin
  • GSuite (Workspace) email admin dashboard
  • HackerOne reports and other details
  • Confluence Pages
  • Financial data
  • Multiple code repositories
(For more information refer to the Appendix)

Techniques, Tactics, and Procedures (TTPs)

  • The actor employed social engineering as the initial attack vector to compromise Uber’s infrastructure.
  • After obtaining the compromised employee’s credentials, the actor used that employee’s VPN access to:
    • Pivot and escalate privileges inside the internal network
    • Scan the internal network (intranet) for further access
  • Subsequently, the actor reached the internal network (intranet) *.corp.uber.com, where the actor found a directory, plausibly named “share”, containing numerous PowerShell scripts with hard-coded admin credentials for the privileged access management (PAM) system (Thycotic).
  • Those credentials gave the actor full access to multiple services of the entity, such as Uber’s Duo, OneLogin, AWS, and GSuite Workspace.
Pictorial Representation of threat actor’s TTPs for compromising Uber
 

Impact & Mitigation

Impact
  • Obfuscation of the application code, hindering the usability of the application.
  • Leaked credentials and access could facilitate multiple account takeovers.
  • Leaking of sensitive and critical information of the entity.
  • Equips malicious actors with the details required to launch sophisticated ransomware attacks, exfiltrate data, and maintain persistence.
  • Reputational damage for Uber.

Mitigation
  • Train employees against social engineering attacks and techniques.
  • Implement a strong password policy and enable MFA across logins.
  • Create specialized users and groups with minimum privileges.
  • Close unused ports and limit file access.
  • Patch vulnerable and exploitable endpoints.
  • Do not share secrets unencrypted in messaging systems like Slack or WhatsApp.
  • Monitor for anomalies in user accounts, which could indicate possible account takeovers.
  • Scan repositories and file shares to identify exposed credentials and secrets.
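The escalation step in the TTPs above turned on admin credentials hard-coded into PowerShell scripts sitting on an internal share, and the last mitigation is to scan for exactly that. Below is an added example (not CloudSEK’s or Uber’s code) of such a scanner in Python: it runs a handful of regexes for common PowerShell credential-embedding idioms over every non-comment line of each script, reports the file, line and kind of each hit with the value masked, and is exercised against constructed sample scripts embedded in the block. Every hostname, account name and secret value in those samples is made up, the PAM URL is an assumption standing in for a Thycotic-style server, and the AWS keys are the placeholder values AWS uses in its own documentation.

```python
"""Scanner for hard-coded credentials in PowerShell scripts.

Added example, not CloudSEK's or Uber's code. The sample scripts below are
constructed; the hosts, account names and secrets in them are made up.
"""
import re
import sys
from dataclasses import dataclass
from pathlib import Path

# Names that, as (part of) a PowerShell variable name, usually hold a secret.
SECRET_NAME = r"(?:pass(?:word|wd)?|pwd|secret|api_?key|access_?key|token)"

# Each pattern captures the secret in a group called "secret" so it can be
# redacted before reporting; the report must never re-leak what it found.
PATTERNS = {
    # ConvertTo-SecureString "literal" -AsPlainText: the classic hard-coding idiom
    "plaintext_securestring": re.compile(
        r"""ConvertTo-SecureString\s+(["'])(?P<secret>[^"']+)\1\s+-AsPlainText""", re.I),
    # $password = "...", $Env:AWS_SECRET_ACCESS_KEY = "...", and similar
    "password_assignment": re.compile(
        r"""\$(?:env:)?\w*""" + SECRET_NAME + r"""\w*\s*=\s*(["'])(?P<secret>[^"']{8,})\1""", re.I),
    # -Password '...' / -ApiKey "..." passed straight to a cmdlet
    "password_parameter": re.compile(
        r"""-(?:Password|Pass|ApiKey|Token)\s+(["'])(?P<secret>[^"']{6,})\1""", re.I),
    # AWS access key IDs have a fixed, recognisable shape
    "aws_access_key": re.compile(r"(?P<secret>AKIA[0-9A-Z]{16})"),
    # https://user:password@host/... embedded credentials
    "basic_auth_in_url": re.compile(r"https?://[^/\s:]+:(?P<secret>[^@\s]+)@", re.I),
}


@dataclass(frozen=True)
class Finding:
    source: str    # script the secret was found in
    line: int      # 1-based line number
    kind: str      # which pattern fired
    redacted: str  # first two characters of the secret, rest masked


def redact(secret: str) -> str:
    """Keep just enough to recognise the value, never enough to use it."""
    if len(secret) <= 4:
        return "*" * len(secret)
    return secret[:2] + "*" * (len(secret) - 2)


def scan_text(text: str, source: str) -> list[Finding]:
    """Run every pattern over every non-comment line of one script."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("#"):  # PowerShell line comment
            continue
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append(Finding(source, lineno, kind, redact(match.group("secret"))))
    return findings


def scan_scripts(scripts: dict[str, str]) -> list[Finding]:
    """Scan an in-memory {path: contents} mapping, e.g. files read off a share."""
    return [f for path, text in scripts.items() for f in scan_text(text, path)]


def scan_tree(root: str) -> list[Finding]:
    """Scan every *.ps1 / *.psm1 under root, e.g. a mounted internal share."""
    scripts = {
        str(p): p.read_text(errors="replace")
        for ext in ("*.ps1", "*.psm1")
        for p in Path(root).rglob(ext)
    }
    return scan_scripts(scripts)


# Constructed sample scripts standing in for what the advisory says sat on the
# share. Every host, account and secret here is made up for the example.
SAMPLE_SCRIPTS = {
    # the bad pattern: a PAM admin credential hard-coded next to the PAM URL
    "share/reset-duo-users.ps1": r'''$pamUrl = "https://pam.corp.example.local"
$user = "svc_pam_admin"
$pass = ConvertTo-SecureString "Sup3rS3cret!2022" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential($user, $pass)
Invoke-RestMethod -Uri "$pamUrl/api/v1/secrets" -Credential $cred
''',
    # cloud keys exported straight into the environment (AWS's documentation placeholders)
    "share/sync-aws.ps1": r'''$Env:AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
$Env:AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
aws s3 ls
''',
    # vCenter admin password on the command line, plus basic-auth in a URL
    "share/vcenter-snapshot.ps1": r'''Connect-VIServer -Server vcenter.corp.example.local -User administrator@vsphere.local -Password 'Vc3nt3r!2022'
Invoke-WebRequest -Uri "https://deploy:Dep10y21@ci.corp.example.local/trigger"
''',
    # the safer shape: the credential is supplied at run time, not stored in the script
    "share/rotate-keys-ok.ps1": r'''# Prompt for (or pull from the vault) the credential when the script runs
$cred = Get-Credential -Message "PAM admin account"
Invoke-RestMethod -Uri "https://pam.corp.example.local/api/v1/secrets" -Credential $cred
''',
}


if __name__ == "__main__":
    results = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else scan_scripts(SAMPLE_SCRIPTS)
    for f in results:
        print(f"{f.source}:{f.line}: {f.kind}: {f.redacted}")
```

Saved as, say, scan_ps_secrets.py (a hypothetical name), it is run as `python scan_ps_secrets.py /mnt/share` against a mounted share, or with no argument to scan the built-in samples, which yields six findings in the three bad scripts and none in the safer one. The variable-name rule will produce some false positives on names like `$tokenCount`; the two-character prefix in the report is enough to triage a hit without the report becoming a second copy of the secret.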

Appendix

Sample screenshot shared by the actor depicting VSphere VM workstation with *corp.uber.com access
 
Threat actor’s message on the company's Slack Channel with hashtag “uberunderpaisdrives”
 
Threat actor’s comment using the HackerOne account.
 
The alleged actor revealing the TTP of the attack
